AWS-EC2-VPC-Endpoint-Exposed
Severity: Critical
Description: This control ensures that the VPC endpoint policy grants access only to specific principals and is not open to everyone. When you create a VPC endpoint, you can attach one endpoint policy to it. If no policy is attached, AWS adds a default policy whose Principal, Action and Resource statements are all set to the wildcard (*). This policy allows full access from any resource in the VPC, with full access to the services behind the endpoint. Following the principle of least privilege, to reduce the risk of accidental changes and unintended disclosure of highly privileged data, it is recommended to limit the endpoint policy to specific actions, resources and principals.
Remediation Steps:
Perform the following to update the endpoint policy:
Log in to the AWS Management Console at https://console.aws.amazon.com.
Navigate to the VPC console.
In the navigation pane, choose Endpoint.
Select the reported endpoint.
Select Edit to update the Action statement with specific actions, the Resource statement with the ARNs of the resources accessible through the endpoint, and the Principal statement with specific IAM roles, groups or users, or add a Condition statement to validate the principal in the policy.
Choose Save changes.
Important:
If you do modify a policy, it can take a few minutes for the changes to take effect.
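The following Python script is an added example, not code from Blue Hexagon or AWS. It shows the default wildcard policy described above next to two remediated forms (a policy scoped to specific principals, actions and resources, and a wildcard-principal policy narrowed by a Condition) and implements the check this control performs: it parses the PolicyDocument string that the EC2 DescribeVpcEndpoints API returns and flags Allow statements that grant access to every principal without a Condition. The account id, role name, bucket name, organization id and endpoint ids are constructed placeholders.

```python
import json

# Constructed sample 1: the default policy AWS attaches to an endpoint when
# none is supplied. Principal, Action and Resource are all the wildcard "*".
DEFAULT_OPEN_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ]
})

# Constructed sample 2: a least-privilege policy. The account id, role name
# and bucket name are hypothetical placeholders, not values from the page.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }]
})

# Constructed sample 3: wildcard principal, but a Condition restricts callers
# to one AWS Organization (hypothetical organization id).
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }]
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for Principal "*" or a map such as {"AWS": "*"} (any principal)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_open_statements(policy_document):
    """Return Allow statements open to every principal and lacking a Condition.

    policy_document is the JSON string from the PolicyDocument field of the EC2
    DescribeVpcEndpoints API, or an already-parsed dict.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. aws:PrincipalOrgID) narrows the principal, one of
            # the remediations named above, so the statement is not flagged.
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        findings.append({
            "wildcard_actions": "*" in actions,
            "wildcard_resources": "*" in resources,
            "actions": actions,
            "resources": resources,
        })
    return findings


def is_endpoint_exposed(policy_document):
    """Overall verdict for one endpoint policy."""
    return bool(find_open_statements(policy_document))


def exposed_endpoint_ids(describe_response):
    """Apply the check to a DescribeVpcEndpoints response dict.

    Endpoints whose service does not support policies carry no PolicyDocument
    and are skipped.
    """
    return [
        ep["VpcEndpointId"]
        for ep in describe_response.get("VpcEndpoints", [])
        if "PolicyDocument" in ep and is_endpoint_exposed(ep["PolicyDocument"])
    ]


# Constructed DescribeVpcEndpoints-shaped response with placeholder endpoint ids.
SAMPLE_DESCRIBE_RESPONSE = {
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-0000000000000001", "PolicyDocument": DEFAULT_OPEN_POLICY},
        {"VpcEndpointId": "vpce-0000000000000002", "PolicyDocument": SCOPED_POLICY},
        {"VpcEndpointId": "vpce-0000000000000003", "PolicyDocument": CONDITIONED_POLICY},
    ]
}

if __name__ == "__main__":
    # With boto3, pass boto3.client("ec2").describe_vpc_endpoints() instead.
    print("Exposed endpoints:", exposed_endpoint_ids(SAMPLE_DESCRIBE_RESPONSE))
```

Only the first sample is reported: the scoped policy names a specific principal, and the third policy, although its Principal is "*", carries a Condition that validates the caller, which matches the remediation option in step 5. The check treats a missing Condition on a wildcard principal as the finding regardless of whether Action and Resource are also wildcards, since those two fields are reported separately for triage.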
References:
Control access to VPC endpoints using endpoint policies - Amazon Virtual Private Cloud
Share your services through AWS PrivateLink - Amazon Virtual Private Cloud
Blue Hexagon Proprietary